Cyber Incident Response & Forensic Readiness

It is a fact that more and more organisations are experiencing cyber breaches, and their ability or inability to respond in a timely manner can have a significant impact on their business. A poorly executed response can reflect badly on an organisation, which will impact certain aspects of the business such as share price, customer perception, reputation, and short- and long-term revenue.

With this in mind, organisations need to have a robust, tested and well understood incident response policy and plan in place.

In the event that an organisation’s business is brought to a standstill by an unwanted or unforeseen event, the business needs to recover and continue with as little fuss as possible. This is where strategies such as incident response, awareness training, disaster recovery and business continuity planning have become vital components of organisations’ operational structure.

Even if your organisation has a mature incident response plan that is tested and reviewed on a regular basis, what if, in certain scenarios or during recovery from an incident, foul play becomes apparent or is suspected? An investigation may need to be conducted against an employee(s), third parties or an unknown external source. Just a few examples of investigations that may need to be conducted are:

Fraud

IP Theft

Harassment

Negligence

Sabotage

Digital evidence becomes very important when such issues arise in an organisation that uses IT infrastructure, as users of information systems leave digital footprints whenever they use them, be they computer systems, smartphones, tablets or the corporate network.

Of course, an organisation can carry out digital investigations where going to court would not be necessary, such as for employee monitoring (where that is considered acceptable) or a malware investigation. Such a case may not necessarily require handling the evidence in a legally acceptable manner. However, there is the possibility that what at first glance seems a straightforward investigation may lead to a full-on forensic analysis. When this occurs, it is very often all too much for the IT department and incident response team to deal with effectively and can be way beyond their expertise, and by this time it is too late.

Something that requires legal action may be uncovered (e.g., IP theft or fraud). In such a case, evidence being presented in court must be collected and documented in a legally acceptable manner for admissibility. If this has not been done in the first instance, an organisation can leave itself wide open and may ultimately make any digital evidence inadmissible.

Having a forensic readiness plan in place goes a long way toward ensuring such investigations can be handled and presented so that the organisation does not inadvertently damage a case.

3EF Ltd can provide consultancy and advice that will review and critically evaluate any policies, plans and procedures. This can be achieved in a number of ways depending on your organisation.

Planned individual interviews at your organisation with key members of staff such as the IT security manager, IT support desk manager and HR manager;

and/or, run a workshop (usually one or two days) where all the key members of staff attend and collaborate, and in certain circumstances proposed policy changes can be drafted and even implemented dynamically.

3EF would then report on findings, including any shortfalls, and provide recommendations.

We can also provide a 1 day ‘First Responder’ training where we teach the front line members of staff how to collect, preserve and protect digital evidence. This can be in addition to our ‘Cyber Security Incident Response Planning’ and ‘Forensic Readiness Planning’, or as a standalone feature.